Commit c2a350a3 authored Apr 30, 2024 by Jean Delvare Committed by Greg Kroah-Hartman Jul 18, 2024

firmware: dmi: Stop decoding on broken entry



[ Upstream commit 0ef11f604503b1862a21597436283f158114d77e ]

If a DMI table entry is shorter than 4 bytes, it is invalid. Due to
how DMI table parsing works, it is impossible to safely recover from
such an error, so we have to stop decoding the table.

Signed-off-by: Jean Delvare <jdelvare@suse.de>
Link: https://lore.kernel.org/linux-kernel/Zh2K3-HLXOesT_vZ@liuwe-devbox-debian-v2/T/


Reviewed-by: Michael Kelley <mhklinux@outlook.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>

parent 03f37e56

drivers/firmware/dmi_scan.c

+11 −0

Original line number	Diff line number	Diff line
		@@ -95,6 +95,17 @@ static void dmi_decode_table(u8 *buf,
		(data - buf + sizeof(struct dmi_header)) <= dmi_len) {
		const struct dmi_header dm = (const struct dmi_header )data;

		/*
		* If a short entry is found (less than 4 bytes), not only it
		* is invalid, but we cannot reliably locate the next entry.
		*/
		if (dm->length < sizeof(struct dmi_header)) {
		pr_warn(FW_BUG
		"Corrupted DMI table, offset %zd (only %d entries processed)\n",
		data - buf, i);
		break;
		}

		/*
		* We want to know the total length (formatted area and
		* strings) before decoding to make sure we won't run off the